The data protection angle…
GDPR is all about understanding the risk and exposure around customer data, which is crucial for financial institutions. Most firms hold records that are of real value to the customer, so any breach has a massive impact, reputationally and financially: firms found to have poor controls are liable to fines of up to €20 million or 4% of global annual turnover, whichever is higher.
GDPR will have a significant impact on the sales and marketing functions of financial firms, which will be challenged to prove that customers have given freely given, specific, informed and unambiguous consent to being marketed to. Simple enough on the surface, but it actually poses a massive challenge, given the over-reliance of many organisations, banks particularly, on legacy architecture and the fact that they hold multiple data repositories. It is not only data stored in the UK: many firms have offshored business processes, so customers’ data can be stored or accessed in different jurisdictions around the world. Wherever the data of European customers is stored, GDPR applies. GDPR compliance is complex and its implications are far-reaching.
GDPR may also test our ‘special relationship’ with the USA, as a US-based company selling to a European customer is caught by GDPR and so has to meet its standards, even when the data is held outside Europe. Some of our colleagues from across the pond are already asking questions, and the answer will be a nasty surprise to many.
PSD2 – the yin to GDPR’s yang?
One of the biggest challenges for the safe implementation of GDPR processes is PSD2, the legislation aiming to boost competition in financial services. PSD2 requires banks and other account-servicing payment providers to open up their architecture, using Application Programming Interfaces (APIs), so that licensed third-party providers can access customers’ account information and initiate payments with the customer’s consent.
This may conflict with GDPR, and as a result a complex Venn diagram is emerging between the two regulations: one mandates sharing customer data with third parties, while the other demands data minimisation, purpose limitation and tight control over who processes it. Everyone understands the need to increase competition in financial services, but PSD2 could be seen as in conflict with the core principles of what GDPR is attempting to do. An interesting dichotomy between data control, risk awareness, competition and being compliant has arisen.